
November 2002

Retrospective and Crystal Ball

Information Security revisits the voices of the past issues: authors, interviews and profiles

INSIDE:
   Jeffrey Schiller (January 1998)
   Philip Rothstein (December 1997)
   Charles Cresson Wood (November 1999)
   Jim Wayman (July 1998)
   Susan Landau (April 1998)
   Richard Smith (January 2000)
   Ian Hoenisch (September 2001)
   Stephen Cobb (April 1998)
   Richard Heffernan (April 1998)
   Jennifer Granick (March 2001)

section edited by ANNE SAITA

Jeff Schiller

January '98 SCHILLER said: On IPSec..."We have three choices for the future: either we don't consider security in Internet protocols and everything goes to hell in a handbasket; or we do less; or we just figure out some way to get more help in the security area. Well, we aren't going to let it go to hell or do less than what we do now. So, I guess we need to get more help."

Today, as when Jeffrey Schiller made this statement about IP security, the Massachusetts Institute of Technology network manager is area director for security on the Internet Engineering Steering Group (IESG), a subgroup of the mammoth Internet Engineering Task Force (IETF).

Schiller built his alma mater's network in 1984 and has become one of infosec's most vocal and respected leaders. He's railed against numerous initiatives over the years, from the U.S. government's failed Clipper Chip that threatened private online communication to the chilling effect on security research under the current Digital Millennium Copyright Act.

His role in the IESG and IETF has given him opportunities to act as an advocate for more secure Internet protocols. The jury's still out on the extent of security's increased visibility within IP, but there's no doubt progress has been made.

"Five years ago, we had a terrible time getting protocol designers and software implementers to take security seriously," Schiller says. "No one could come out and say that they didn't believe in it, but they were not willing to put time and effort into doing it right.

"Now we are in a new phase. Designers and implementers want security, but they don't really know how to do it, so they want to ignore the problem and then get someone else to 'add security' later."

That approach is a mistake, Schiller says. "Unfortunately, security is not one of those things that does well when added later. And we don't have a lot of people in the security area to go around and fix every protocol."

What needs to be done now, he says, is to gain more of an industry consensus that security is necessary. People must be better educated so that stronger security is included in more protocols.

"I believe the IETF does better security work than most industry consortiums. Industry groups tend to look for the quick fix to the security problems that the papers are writing about. They don't tend to take as long a view as the IETF does."


Philip Jan Rothstein

January '98 ROTHSTEIN said: On BCP..."Business continuity is not about elaborate documents or expensive software; it is about common sense. It is not about pessimism or cynicism; it is about being realistic, sensible and aware."

In one of Information Security's first cover stories, disaster recovery expert and frequent contributor Philip Jan Rothstein predicted problems for companies that don't have contingency plans to respond to natural and manmade disasters.

"Most of what I wrote five years ago still applies today. What's changed is 9/11, which brought a sense of reality not prevalent back then," says Rothstein, president of Rothstein Associates, a management consultancy and publisher focused on business continuity.

Nowadays, Rothstein is concerned about fallout in the next five years if business recovery services continue to consolidate, eliminating rivals and stifling the improvements to methodologies and approaches that competition drives. Higher-priced software and services may result at a time when more people are considering such services. On the upside: at least disaster recovery is now on the radar.

"There are very few areas or departments of the typical enterprise that can afford to ignore business continuity, as was common five years ago," Rothstein says. "In other words, it's everybody's concern. It's no longer delegated to a specific niche in the organization."


Charles Cresson Wood

November '99 WOOD said: On CISOs..."The role of the information security officer (ISO) will change radically in the next year, in large measure due to the fallout occasioned by the Y2K problem."

Prolific author Charles Cresson Wood correctly predicted the role of the CISO would change dramatically at the turn of the century, but not because of the Millennium Bug. Instead, he admits, terrorist attacks on U.S. soil last September raised the security officer's role in government and corporate America.

"Certainly the visibility of the information security function has increased markedly," says Wood, a CISSP and security consultant in Sausalito, Calif. "And although the money hasn't shown up yet, it's clear this particular subspecialty within IT is getting its share of whatever increases there are in the IT budget."

The title CISO will increase in prevalence during the next five years, Wood predicts, as information protection becomes more critical to companies, particularly health care and financial services now charged by federal regulators with proving customer data is secure. "The more intensive the information handling, the greater the need for information and thus, in my own opinion, the higher the information security manager will be placed in the management hierarchy."

Proof of concept includes credit card company Visa, which now has a senior vice president of information security who reports directly to the firm's president and has influence on the business as a whole.

Wood hopes to see more information security officers reporting to top management through different corporate channels, such as legal departments or their own units. Having security officers work within IT can create conflicts, since IT managers tend to favor functionality and ease of use over security.

"I certainly favor moving the whole group out of IT and placing it in another group to get around the conflict of interest that has kept information security down and caused many problems," he says.

These days, Wood continues to wield his prolific pen, having authored more than 275 magazine articles and six books on information security.


Jim Wayman

July '98 WAYMAN said: On biometrics..."I think the industry has set up [a] negative perception, because it has claimed biometrics are foolproof in terms of identification for security purposes. That's the wrong approach. Number one, it's not foolproof. And number two, it really isn't for security--it's for convenience."

Jim Wayman's argument that biometrics is primarily a convenience was in response to a question posed in one of Information Security's first Q&As. Even now, the former director of the U.S. Biometrics Center says, "That's still a real good quote."

Wayman still works primarily with the U.S. government in biometrics, but has changed titles to the more academic sounding "senior fellow" at San Jose State University in California. He still believes tools such as iris and fingerprint scanners should be touted for their convenience, but admits Sept. 11 put increased emphasis on their security function.

"It's going to be hard to know how these technologies can be applied to increase national security. They might be an added tool, but it will require a lot more human intervention. We're not just going to turn these machines on and start catching terrorists," he says.

Because he works primarily for the government, Wayman says he was irritated with the way some biometrics vendors tried to capitalize on Sept. 11 by suggesting their technology could have prevented the terrorist attacks.

"No, the government didn't have this stuff in place, precisely because it had been working on it and knew its limitations and didn't find any value for the costs involved. The government has been on top of this; the government's position hasn't changed," he says.

That doesn't mean biometrics can't become a viable security solution in the future. "The jury is still out. We'd like to figure out if there's some way biometrics can be used for national security."

Wayman doesn't like to go out on a limb with predictions. At a government meeting in January 2000, he was asked if biometrics would be on weapons systems within five years. By then, the U.S. government had been researching biometrics for two decades, and his response disappointed the audience. In five years, he predicted, biometrics research would only be 25 percent further along.

Fundamental research remains key to unlocking biometrics' future. Five years from now, he offers, "we'll be 20 percent further along than we are now."


Susan Landau

April '98 LANDAU said: On U.S. crypto policy..."There is no compromise. You either go with the availability of strong encryption and live with the consequences, or you try to outlaw it and live with those consequences."

Nearly five years later, Susan Landau is still unwavering in her position on the need for unregulated encryption. "Not only do I still believe it, but, more to the point, the U.S. government has decided that the availability of strong encryption is important to security," says Landau, who was one of Information Security's first Q&A subjects.

Today, Landau is a senior staff engineer at Sun Microsystems devoted to cryptography, security and public policy.

In January 2000, the federal government changed export controls to enable the use of stronger cryptography in a number of products. "I'm delighted the government has come around to our viewpoint," she says.

Landau is optimistic that the government won't reverse its decision, as some in Congress have suggested in the wake of last year's terrorist attacks. That debate hasn't gone far, which Landau takes as a good sign. "The government understood the possible consequences when it made its decision, but also realized it was better off with the deployment of stronger encryption."

"Five years from now, we're going to see more and more security needed in computer systems, and that certainly argues for the use of encryption."


Richard M. Smith

January '00 SMITH said: On privacy..."More companies being caught will mean that more companies will be afraid to do it."

By "it," Richard M. Smith was referring to the predicted fallout from his discovery--and disclosure--that RealNetworks' RealJukebox and Microsoft gathered data from their users without their knowledge. Smith's work helped bring online privacy to the national forefront, and online privacy issues remain a passion and cornerstone of his career today.

"Clearly, since 2000 there's been a lot of discussion about privacy issues with products. I think it has helped," Smith says from his office in Cambridge, Mass., where he is an independent Internet, privacy and security consultant. "I think companies are more careful about what they do in their products and think, 'Do we really need to be using this kind of tracking and surveillance?'

"On the other hand, a way that they deal with it is to simply disclose--tell people what they're doing. And that doesn't make me feel great, because what they usually do is bury it in an obscure license agreement that nobody ever reads. So, it's sort of a CYA type of solution to the issue."

Also helping to reduce such surveillance was the dot-com bust, which didn't occur until months after Smith's interview was published in Information Security. Many fledgling e-businesses believed money could be made by tracking people, but most went out of business, which shows the business practice was a bust. "The word is getting out that the whole idea of spying on people as a way to make money--i.e., target advertising--doesn't really work. People are backing away from those plans."

That doesn't mean invasions of privacy will disappear, or even decrease in the next five years. On the contrary, Smith expects Internet privacy issues to spill over into the real world as technologies make it easy to snoop. Electronic passes such as Fastrack tags will gather more than tolls, and global positioning systems will be embedded in more devices to track people's movements.

"I see wireless networks and the Internet sort of merging, and we'll start seeing privacy issues heading into the cellphone arena," he says. "Our lives will be watched a lot, and we're going to have a lot of the same fights we had with the Internet.

"That concerns me a lot. I see no good here."


Ian Hoenisch

September '01 HOENISCH said: On DoS..."Denial of service is the scariest thing I'm afraid of at this point, because it's the most difficult to shield against."

When Information Security spoke with Ian Hoenisch a year ago, he was grappling with the threat of denial-of-service attacks at his Internet-based financial services firm ElephantX.com.

Hoenisch was candid about his concerns, particularly how he'd confronted his biggest network fear: a flood of bad traffic that would force his company offline. He also was sold on his solution, Mazu Networks' TrafficMaster.

"I'd definitely use it again. We didn't have any damage caused by denial-of-service attacks within the time we used it," he says, noting that his company remained unscathed by last year's Code Red and Nimda worms.

Unfortunately, ElephantX didn't fare as well. Already suffering in a sluggish economy, the company's business came to a screeching halt after 9/11, when customers decided to refocus on internal core business.

Hoenisch is now CTO for another company (which he declined to name) and is interested in the wave of bundled appliances that offer DoS mitigation tools as part of the package.

"It's a tricky problem because of its distributed nature," he says. "The Internet is still growing, and more hosts are being added. But I see a lot of mousetraps and building of smarter traps."


Stephen Cobb

April '98 COBB said: On malware..."Of the many threats to the security of our information systems, viruses surely must be the most annoying."

When Stephen Cobb wrote Information Security's first primer on malicious code, the floppy diskette was the biggest vector for malware infections. Nowadays, says the senior VP for research and education for ePrivacy Group, disk-borne viruses don't even come close to being as annoying as contemporary computer viruses.

"Viruses have evolved well beyond the headache phase to be a serious threat to companies, individually and in the aggregate," Cobb says. Virus writers' preferred method to spread malware is now e-mail and the Internet--a trend doomed to mushroom, as end users continue to embrace broadband connectivity. While antivirus vendors have made great strides in the war on malicious code, Cobb says more needs to be done in the next five years to stem the tide.

"If you do the right things with AV software, you're well protected," Cobb explains. "But an awful lot of people don't configure or install it properly, nor do they update. We need things that can protect and defend systems automatically. That isn't being done at the moment."


Richard J. Heffernan

April '98 HEFFERNAN said: On secure storage..."Today's trash is tomorrow's news."

Richard Heffernan has been saying, "Today's trash is tomorrow's news" for years, including in an early Information Security article by David Beardsley on media protection. The founder of infosecurity consultancy R.J. Heffernan & Associates is concerned with the way we dispose of sensitive proprietary information.

"This is still as big a problem as ever," he says, noting that the concern has shifted from hard copies to laptops and electronic data that isn't properly protected or destroyed. "As more and more companies become paperless, we'll need to make sure, as information moves electronically, people do more flow analysis for input and access and storage, and make it unrecoverable."

In the next five years, the problem will be aggravated by the proliferation of wireless networks, he predicts. Worse, many victims of information theft won't even know that copies left on servers or downloads stored deep in systems have been pilfered.

"Information is the only asset that can be lost, yet no one knows it's missing," Heffernan says.


Jennifer Granick

March '01 GRANICK said: On defending hackers..."I'm an enabler, in the best sense of the word. I don't mean I want to promote criminal behavior. It's just the opposite: I want to promote [a] passionate search for knowledge... and teach how to do it right."

In January 2001, well before the Digital Millennium Copyright Act (DMCA) was a household name among hackers, Jennifer Granick became clinical director of Stanford Law School's Center for Internet and Society. In an interview with Information Security, the criminal defense attorney expressed hope that the Center would raise public awareness of technology legal issues, as well as provide legal assistance to accused hackers. And it's succeeding, she says.

"People are beginning to realize this area of the law is really complicated. Whether it's the anticircumvention provisions of the DMCA or shutting down Napster, Grokster and peer-to-peer file sharing and things like that, people are beginning to realize the law in this area isn't necessarily just or good."

A troubling trend is what Granick describes as the "overprotection and 'over-propertization' of information."

"As we become an information society, we 'propertize' information; we give it the same kind of rules as personal property," she explains. "But the fact is, information is not personal property, and there's a real danger treating it as if it were no different than a chair or handbag."



Copyright 2002 TechTarget